7. Known Issues

The following are some of the most important known issues in Directory Server 9.0. If applicable, supported workarounds are also described.

Table 3. Known Issues in Directory Server 9.0

Bug number: 158369
Description: The sync attribute mapping for groups includes a number of attributes, such as l, ou, and o, that are not actually legal on group objects. If someone creates an ntGroup entry with any of these attributes other than ou, the add of the synchronized entry fails on Active Directory because of a schema violation.

Bug number: 182509
Description: The changelog used for replication stores passwords in clear text in order to replicate them. In some contexts, this could be a security risk.
Workaround: Enable fractional replication and specifically exclude the userPassword attribute from being replicated, which prevents passwords from being written to the changelog. For example:
    nsds5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE userPassword

Bug number: 190862
Description: Global syntax checking attributes should be enforced if the settings are not configured in the local password policy. However, if both global and local password policies are configured, the global policies are not enforced as the default.
Workaround:
  1. Enable global syntax checking.
  2. Enable fine-grained password checking.
  3. Edit the local password policy to contain all password syntax attributes. Set the values to something other than the default settings, as listed in the Configuration, Command, and File Reference.
  4. Re-edit the local password policy with the desired values, even if they are the defaults.

Bug number: 191772
Description: If the configuration Directory Server is unavailable, Admin Express shows an internal server error. The task to access the Admin Express web page cannot be authenticated, so the attempt to open the page fails.

Bug number: 510182
Description: If the DNA Plug-in was triggered during an account creation or update operation but that operation fails, the DNA counter is still incremented. This leaves a gap in the range: the number is used up but not assigned to any entry attribute.

Bug number: 628911
Description: If a subtree-level rename operation is performed on a subtree which contains either groups or group member entries, the memberof pointers in the user entries are not automatically updated with the new subtree name by the MemberOf Plug-in.
Workaround: Run a memberof fixup task or the fixup-memberof.pl command to force the memberof attributes to be updated.

Bug number: 667943
Description: Restarting the Directory Server hangs if a pipe file is present but the ds-logpipe.py script is not running.

Bug number: 712202
Description: If a replication agreement is configured with an unresolvable hostname, it returns a generic error rather than an indication that the hostname cannot be resolved:
    [09/Jun/2011:14:21:21 -0400] slapi_ldap_bind - Error: could not send bind
    request for id [(anon)] mech [EXTERNAL]: error -1 (Can't contact LDAP server) 0
    (unknown) 0 (Success)

Bug number: 712845
Description: The Directory Server Console does not allow you to set password policy-related times (such as expiration time or user change time) in hours, minutes, or seconds.
Workaround: Change the password policy attributes from the command line.

Bug number: 727659
Description: If a dnaScope value contains an unescaped space, DNA stops working after migration from Directory Server 8.1.
Workaround: Remove the space from the DN in the dnaScope value.

Description: There are many problems associated with trying to load certificates on hardware security modules (HSMs) using the Directory Server Console. Some of these are related to SELinux policies which restrict access to HSMs, and some are due to problems in the Directory Server Console or the Admin Server, which can throw exceptions or fail to generate requests or certificates.
Workaround: Use NSS tools such as certutil to install certificates on HSMs rather than the Directory Server Console.

Bug number: 732079
Description: Upgrading the server fails if the Directory Server user is root.
Workaround: The Directory Server should run as the system user nobody.

Bug number: 737144
Description: At least one font must be installed on a system before the Directory Server Console can be launched. Otherwise, the Console fails to open with a fatal error:
    Exception in thread "main" java.lang.Error: Probable fatal error:No fonts found.
     at sun.font.FontManager.getDefaultPhysicalFont(FontManager.java:1088)
However, because no specific font is required, no font package is listed as a dependency for the Directory Server Console packages.
Workaround: Install any font package before installing the Directory Server Console packages.

Bug number: 743702
Description: The nsslapd-counters attribute cannot be set to off; otherwise the server fails to restart with an error that the counters cannot be found:
    [05/Oct/2011:10:07:28 -0400] - slapd stopped.
    [05/Oct/2011:10:07:42 -0400] - 389-Directory/ B2011.276.2240 starting
    [05/Oct/2011:10:07:42 -0400] - cache_init: slapi counter is not available.
    [05/Oct/2011:10:07:42 -0400] - ldbm_instance_create: cache_init failed
Workaround: The nsslapd-counters attribute must be set to on.

Bug number: 743703
Description: The Directory Server cannot run on the same machine as an NFS share. The Directory Server will stop servicing client requests.
Workaround: Remove any NFS mount points on the server.

Bug number: 757773
Description: If two Directory Server instances are installed on the same machine and both have SSL enabled, the Directory Server Console cannot be used to manage certificates, and this can lead to a state where any LDAP operations performed through the Directory Server Console are applied to both instances. The Directory Server Console only accepts the standard SSL port, 636, but the instances must have unique ports. When the Directory Server Console is used for the instance with the non-standard port, it resets the server's port number to 636, and eventually begins applying changes to both instances because the Console connects to both over the same port.
Workaround:
  1. Set up the Directory Server to run in SSL, but do not enable SSL for the Directory Server Console yet.
  2. Set the non-standard SSL port in the Directory Server configuration using ldapmodify. For example:
    # ldapmodify -x -h server.example.com -p 1389 -D "cn=directory manager" -w secret
    dn: cn=config
    changetype: modify
    replace: nsslapd-securePort
    nsslapd-securePort: 1636
  3. Search the Configuration Directory Server for the corresponding SSL port in the administration configuration (o=NetscapeRoot). For example:
    # ldapsearch -x -h config-ds.example.com -p 389 -D "cn=directory manager" -w secret -b "cn=slapd-ID,cn=389 Directory Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot" -s base "(objectclass=*)"
    dn: cn=slapd-ID,cn=389 Directory Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
    nsSecureServerPort: 636
  4. Replace the standard SSL port (636) with the non-standard one. For example:
    # ldapmodify -x -h config-ds.example.com -p 389 -D "cn=directory manager" -w secret
    dn: cn=slapd-ID,cn=389 Directory Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
    changetype: modify
    replace: nsSecureServerPort
    nsSecureServerPort: 1636
  5. Make sure the CA certificate exists in the Admin Server's certificate database and has the appropriate trust settings. If the certificate is not in the database, import it and restart the Admin Server.
  6. Start the Directory Server Console for the instance.
  7. Open the Configuration tab, and select the top entry in the tree.
  8. Open the Settings tab in the right pane. The Encrypted port field should show the assigned non-standard port.
  9. Open the Encryption tab, and select the Use SSL in Console checkbox.
  10. Restart the server as prompted.

Bug number: 757836
Description: The logconv.pl script starts its first connection at conn=0 instead of conn=1, but it expects conn=1. This means that the tool misses restarts in the report.
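Two of the workarounds above (bug 182509, excluding userPassword from fractional replication, and bug 757773, keeping the instance's nsslapd-securePort in step with the nsSecureServerPort stored under o=NetscapeRoot) can be checked offline from saved ldapsearch output. The following Python is an added audit example, not code from the release notes or from Directory Server itself; it assumes plain LDIF input (no line folding or base64 values), treats a missing fractional list as "everything is replicated, passwords included", and the sample LDIF it contains is constructed.

```python
import re
def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no base64): lower-cased attr -> [values] per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#"):  # ldapsearch prints comment lines; ignore them
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def excluded_attrs(value):
    """Attribute names listed after '$ EXCLUDE' in a fractional replication list value."""
    m = re.search(r"\$\s*EXCLUDE\s+(.*)", value, re.IGNORECASE)
    return {a.lower() for a in m.group(1).split()} if m else set()

def agreements_leaking_passwords(ldif_text):
    """Bug 182509: (dn, list attr) pairs where the incremental or total-update list does not exclude userPassword."""
    leaking = []
    for e in parse_ldif(ldif_text):
        if "nsds5replicationagreement" not in map(str.lower, e.get("objectclass", [])):
            continue
        for attr in ("nsds5replicatedattributelist", "nsds5replicatedattributelisttotal"):
            if "userpassword" not in excluded_attrs(" ".join(e.get(attr, []))):
                leaking.append((e["dn"][0], attr))
    return leaking

def secure_port_mismatch(config_ldif, netscaperoot_ldif):
    """Bug 757773: (instance port, Console port) if nsslapd-securePort != nsSecureServerPort, else None."""
    inst = parse_ldif(config_ldif)[0].get("nsslapd-secureport", [None])[0]
    admin = parse_ldif(netscaperoot_ldif)[0].get("nssecureserverport", [None])[0]
    return None if inst == admin else (inst, admin)

# Constructed sample input (not real server output); only to-replica2 is configured safely.
SAMPLE_AGREEMENTS = """\
dn: cn=to-replica1,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
nsds5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberOf

dn: cn=to-replica2,cn=replica,cn=example,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
nsds5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE userPassword memberOf
nsds5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE userPassword
"""
SAMPLE_CONFIG = "dn: cn=config\nnsslapd-securePort: 1636\n"
SAMPLE_ADMIN = "dn: cn=slapd-ID,o=NetscapeRoot\nnsSecureServerPort: 636\n"
```

Feed it the output of an ldapsearch over cn=config (for the agreements and nsslapd-securePort) and over the o=NetscapeRoot server entry; any tuple returned is a setting to fix before relying on either workaround.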